SSL Certificates
Check the SSL certificate for more information.
It could contain other subdomains.
whatweb
Run whatweb to gain information about the target
$ whatweb -v -a http://SERVER:PORT
Fuzzing
FFUF
Directory Fuzzing
$ ffuf -w directory_wordlist:FUZZ -u http://SERVER:PORT/FUZZ
Extension Fuzzing
$ ffuf -w extension_wordlist:FUZZ -u http://SERVER:PORT/indexFUZZ
Page Fuzzing
$ ffuf -w content_wordlist:FUZZ -u http://SERVER:PORT/blog/FUZZ.php
Sub-domain Fuzzing
$ ffuf -w subdomain_wordlist:FUZZ -u https://FUZZ.SERVER:PORT/
vHost Fuzzing
$ ffuf -w subdomain_wordlist:FUZZ -u http://SERVER:PORT/ -H 'Host: FUZZ.SERVER:PORT' -fs xxx
Parameter Fuzzing - GET
$ ffuf -w param_wordlist:FUZZ -u http://SERVER:PORT/admin.php?FUZZ=key -fs xxx
Parameter Fuzzing - POST
$ ffuf -w param_wordlist:FUZZ -u http://SERVER:PORT/admin.php -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx
Value Fuzzing - GET
$ ffuf -w value_wordlist:FUZZ -u http://SERVER:PORT/admin.php?id=FUZZ -fs xxx
Value Fuzzing - POST
$ ffuf -w value_wordlist:FUZZ -u http://SERVER:PORT/admin.php -X POST -d 'id=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx
LFI Fuzzing
$ ffuf -w JHADDIX_LFI:FUZZ -u http://SERVER:PORT/admin.php?page=FUZZ -fs xxx
$ ./search_censys.py -d victim.com
$ ./dnsrecon.py -d victim.com -t brt -D subdomains-top1mil.txt
Web Screenshots
If you have many URLs to go through, instead of manually visiting them, you can take screenshots of the websites instead for a quick review
$ webscreenshot -i urls.txt